Digital Evidence and the Law: Casey Chapters 3 to 5 Notes

Evaluation and Presentation of Digital Evidence in Court

  • The Role of the Digital Investigator: The investigator's primary function is to present supporting facts and probabilities in a clear, factual, and objective manner.
    * Courts depend on the trustworthiness of investigators and their ability to present technical evidence accurately.
    * Professional work products must be free from advocacy or judgmental assertions.

  • The Process of Resolving a Case: The resolution process is divided into two primary phases:
    * Law Enforcement Phase:
        * Initiated by a violation of law, discovery, or accusation.
        * Activities include: seizure of evidence, preservation to prevent alteration, examination of materials, and analysis of content.
        * The goal is to produce admissible evidence.
        * Forensic experts evaluate evidence for suitability and report findings.
    * Judicial Phase:
        * Begins once evidence is deemed admissible.
        * Components: merits discovery, interrogatories, case presentation, expert testimony, cross-examination, and closing arguments.
        * Results in a verdict and potential sentencing.
    * Non-Linear Nature: Practical investigations rarely follow a linear path. Analysis often reveals the need for more evidence, requiring investigators to return to the seizure step.

Expert Witness Duties and Objectivity

  • Objective Truth: Experts have a duty to present the unbiased truth. Advocacy is the responsibility of attorneys, not experts.

  • UK Criminal Procedure Rules: These rules define three specific expert obligations:
    1. Helping the court achieve the overriding objective by providing objective, unbiased opinions within the expert's field of expertise.
    2. This duty overrides any obligation to the person instructing or paying the expert (loyalty is to the truth, not the client).
    3. Obligation to inform all parties and the court if the expert's opinion changes from what was previously stated in reports or statements.

  • Pressures on Objectivity:
    * Prosecution/Law Enforcement: May push for conclusions supporting their case.
    * Clients/Attorneys: May present emotionally charged positions or ask for favorable conclusions beyond what the evidence supports.
    * Peer Pressure: Some organizations prohibit members from working for the defense, potentially introducing bias.
    * Judgmental Caution: Investigators must not formally assert guilt; that is a determination for the court.

Admissibility of Digital Evidence: The Lorraine v. Markel Framework

  • General Guidelines: Established in Lorraine v. Markel American Insurance Company (D. Md. 2007), five issues must be considered for the admissibility of digital evidence:
    1. Relevance: Evidence must tend to prove or disprove a fact at issue.
    2. Authenticity: The court must be satisfied the evidence is what its proponent claims it to be (verified source and integrity).
    3. Hearsay: Statements made out of court offered to prove the truth of the matter asserted; generally excluded unless an exception applies.
    4. Best Evidence Rule: Preference for the original or an acceptable duplicate.
    5. Undue Prejudice: Probative value must not be substantially outweighed by the risk of unfair prejudice.

Constitutional Constraints and Search Requirements

  • The Fourth Amendment: Protects a person's house, person, papers, and effects against unreasonable searches; as a rule, law enforcement needs a search warrant unless an exception (such as consent) applies.
    * Requirements for a Warrant: Must demonstrate probable cause, describe the place to be searched, and specify the persons or things to be seized.
    * Standard for Judges: Must be convinced that a crime was committed, that evidence of it exists, and that the evidence is likely at the location specified.

  • Search Types and Exceptions:
    * Consensual Searches: Many searches are conducted with consent. However, investigators must stop if consent is withdrawn. Evidence found during a consent search may be used to obtain a later warrant.
    * Plain View and Scope: In United States v. Carey (10th Cir. 1999), a detective searching a computer under a warrant for drug evidence opened an image of child pornography and then kept opening image files looking for more. The images found after the first were ruled inadmissible because the search had shifted to a crime outside the warrant's scope. The proper procedure is to halt and obtain a second warrant for the newly discovered crime.
    * The Electronic Communications Privacy Act (ECPA): Prohibits anyone (not just government) from unlawfully accessing or intercepting electronic communications. Unlike the Fourth Amendment, which constrains only government action, it applies to private parties as well.

Authentication and Reliability of Evidence

  • Four Elements of Authentication:
    1. Source: Identifying the specific computer or location from which the evidence was acquired.
    2. Acquisition Procedure: Demonstrating that a complete and accurate copy was made.
    3. Chain of Custody: Continuous documentation linking the evidence to the crime and showing who controlled it at every point.
    4. Integrity Documentation: Using cryptographic hash values (computed at acquisition and recomputed later) to prove no alteration. Bad sectors that could not be read, and therefore change the hash between acquisitions, should be documented so that a mismatch can be explained rather than mistaken for tampering.
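
The integrity-documentation step above, as an added example (not from Casey's text): acquire a constructed drive bit for bit, zero-fill and record any unreadable sector, write a hash manifest, and later decide whether a hash mismatch between two acquisitions is fully explained by the documented bad sectors. The sector size, the JSON manifest layout and the in-memory drive are all assumptions of this example.

```python
"""Integrity documentation for an acquired image (added example, not from Casey)."""
import hashlib
import json
from dataclasses import dataclass, field

SECTOR = 512  # assumed sector size for the constructed drive


class UnreadableSector(IOError):
    """Raised by the constructed drive for a sector that cannot be read."""


def fake_drive(num_sectors: int, bad: set):
    """Constructed stand-in for a raw device (not a real acquisition tool).

    Returns read(sector_no) -> bytes, raising UnreadableSector for sectors in `bad`.
    """
    data = bytes(range(256)) * (num_sectors * SECTOR // 256)

    def read(sector_no: int) -> bytes:
        if sector_no in bad:
            raise UnreadableSector(sector_no)
        return data[sector_no * SECTOR:(sector_no + 1) * SECTOR]

    return read


@dataclass
class Acquisition:
    image: bytes
    bad_sectors: list = field(default_factory=list)


def acquire(read, num_sectors: int) -> Acquisition:
    """Bit-for-bit copy. Unreadable sectors are zero-filled and recorded, never
    skipped: skipping would shift every later byte, and an undocumented fill
    leaves a later hash mismatch unexplainable."""
    image, bad = bytearray(), []
    for n in range(num_sectors):
        try:
            image += read(n)
        except UnreadableSector:
            image += b"\x00" * SECTOR
            bad.append(n)
    return Acquisition(bytes(image), bad)


def digests(data: bytes) -> dict:
    """Two independent algorithms: substituting content undetected would need
    a simultaneous collision in both."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def make_manifest(acq: Acquisition, item_id: str, examiner: str, tool: str) -> str:
    """Integrity record filed with the chain-of-custody form (JSON layout assumed)."""
    return json.dumps({"item": item_id, "examiner": examiner, "tool": tool,
                       "size": len(acq.image), "bad_sectors": acq.bad_sectors,
                       **digests(acq.image)}, sort_keys=True)


def verify(image: bytes, manifest_json: str) -> bool:
    """True iff the image still has the recorded size and hash values."""
    m, d = json.loads(manifest_json), digests(image)
    return len(image) == m["size"] and d["md5"] == m["md5"] and d["sha256"] == m["sha256"]


def differing_sectors(a: bytes, b: bytes) -> list:
    """Sector numbers whose content differs between two images of equal size."""
    assert len(a) == len(b)
    return [n for n in range(len(a) // SECTOR)
            if a[n * SECTOR:(n + 1) * SECTOR] != b[n * SECTOR:(n + 1) * SECTOR]]


def mismatch_explained(a: bytes, b: bytes, documented_bad: list) -> bool:
    """True if every difference between two acquisitions lies inside sectors
    documented as unreadable (a flaky sector read differently the second time),
    so the hash mismatch is explained rather than evidence of alteration."""
    return set(differing_sectors(a, b)) <= set(documented_bad)


def demo():
    # Constructed scenario: 16-sector drive, sector 5 unreadable at first acquisition.
    first = acquire(fake_drive(16, {5}), 16)
    manifest = make_manifest(first, "HDD-001", "examiner", "example-imager")
    intact = verify(first.image, manifest)
    # Sector 5 reads successfully on a second attempt: hashes differ, but only there.
    second = acquire(fake_drive(16, set()), 16)
    explained = mismatch_explained(first.image, second.image, first.bad_sectors)
    # One flipped byte elsewhere is not covered by the documented bad sectors.
    tampered = bytearray(second.image)
    tampered[0] ^= 1
    unexplained = mismatch_explained(first.image, bytes(tampered), first.bad_sectors)
    return intact, explained, unexplained


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The point of `mismatch_explained` is the caveat in the notes: a hash mismatch is only evidence of alteration when the differing sectors are not already on the record as unreadable at acquisition time.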

  • Approaches to Reliability:
    * System Reliability: Focusing on whether the computer was functioning normally (the approach taken under the US Federal Rules of Evidence). Difficult to certify because of system complexity.
    * Evidence-Specific Reliability: Identifying malicious tampering or file-specific corruption in the particular records relied on. In the UK, Section 69 of PACE 1984 (which required a positive assertion that the computer was operating properly) was repealed with effect from 2000 by the Youth Justice and Criminal Evidence Act 1999, in favor of the common law presumption that mechanical instruments are in working order unless proven otherwise.

The Best Evidence Rule and Hearsay in Digital Forensics

  • Best Evidence Rule: In digital technology, bit-for-bit identical duplicates are generally acceptable in place of originals. Printouts can be acceptable duplicates but may lack metadata the file carries (e.g., Microsoft Word tracked edits or comments).

  • Hearsay Rules: Defined by Hoey (1996) as out-of-court statements offered to prove the truth of their contents. Crucial in forensics because much evidence consists of records containing human statements.
    * Example: An e-mail in which someone admits to a crime is hearsay if used to prove that the admitted act actually happened; on its own it does not establish that, so it needs corroborating evidence (or a confession).
    * Business Records Exception: Records are admissible if made at or near the time of the event, by (or from information transmitted by) a person with knowledge, in the course of regularly conducted business, as part of regular practice.
    * DOJ Manual (2002) Distinction:
        * Computer-Stored Records: Contain human statements (e-mail, chat); must comply with hearsay rules.
        * Computer-Generated Records: Output of programs (login logs, ATM receipts); no human statement is involved, so the issue is authenticity and proper system function, not hearsay.

Evaluating Certainty and Likelihood

  • Sources of Uncertainty:
    * Incorrect system clocks (skew should be measured against a trusted reference at acquisition).
    * Ambiguous timestamps (UTC vs. local time, time zone not recorded).
    * IP address attribution (proxies, NAT, VPNs).
    * GPS inaccuracies.

  • Terminology:
    * "Consistent with": Should only be used if the two things are identical.
    * "Compatible with": Use if the evidence can be explained by an event but is not identical to it.

  • Casey's Certainty Scale:
    * C0: Evidence contradicts known facts; erroneous.
    * C1: Highly questionable.
    * C2: Single source, not protected against tampering.
    * C3: Protected but insufficient evidence for a firm conclusion, or unexplained inconsistencies.
    * C4: Protected against tampering OR multiple independent sources agree.
    * C5: Multiple independent, protected sources agree.
    * C6: Tamper-proof or high statistical confidence.
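
The first two sources of uncertainty above (clock skew and zone-less timestamps), as an added example that is not from Casey's text: measure the evidence system's clock offset against a trusted reference, place each log timestamp on UTC while recording every assumption the examiner had to make, and check whether two independent records are compatible with the same event within a tolerance. The log lines, the skew value and the assumed offset are constructed for the example.

```python
"""Timestamp normalization with disclosed assumptions (added example, not from Casey)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class ClockSkew:
    """device_clock - reference_clock, measured at acquisition, in seconds."""
    seconds: float


def measure_skew(device_now_iso: str, reference_now_iso: str) -> ClockSkew:
    """Both readings taken at the same moment; both ISO-8601 with a UTC offset."""
    device = datetime.fromisoformat(device_now_iso)
    reference = datetime.fromisoformat(reference_now_iso)
    if device.tzinfo is None or reference.tzinfo is None:
        raise ValueError("skew readings must carry an explicit UTC offset")
    return ClockSkew((device - reference).total_seconds())


@dataclass
class NormalizedTime:
    utc: datetime
    assumptions: list = field(default_factory=list)  # what the report must disclose


def normalize(raw: str, skew: ClockSkew, assumed_offset_hours=None) -> NormalizedTime:
    """Place an evidence timestamp on UTC.

    A timestamp without a zone cannot be placed without an assumption; refuse
    rather than silently treat it as UTC, unless the examiner supplies an
    offset, in which case the assumption is recorded alongside the result.
    """
    ts = datetime.fromisoformat(raw)
    notes = []
    if ts.tzinfo is None:
        if assumed_offset_hours is None:
            raise ValueError(f"{raw!r} has no zone and no assumed offset was given")
        ts = ts.replace(tzinfo=timezone(timedelta(hours=assumed_offset_hours)))
        notes.append(f"zone not recorded; assumed UTC{assumed_offset_hours:+g}")
    utc = ts.astimezone(timezone.utc) - timedelta(seconds=skew.seconds)
    if skew.seconds:
        notes.append(f"corrected for measured clock skew of {skew.seconds:+.0f}s")
    return NormalizedTime(utc, notes)


def corroborated(a: NormalizedTime, b: NormalizedTime, tolerance_s: float) -> bool:
    """Whether two independently sourced times are compatible with one event."""
    return abs((a.utc - b.utc).total_seconds()) <= tolerance_s


def demo():
    # Constructed: workstation clock read 12:02:00 when the reference read 12:00:00.
    skew = measure_skew("2024-03-10T12:02:00+00:00", "2024-03-10T12:00:00+00:00")
    # Constructed workstation log line: local time, zone not recorded.
    logon = normalize("2024-03-10 08:15:00", skew, assumed_offset_hours=-5)
    # Constructed firewall log line from an NTP-synced device, explicit UTC.
    session = normalize("2024-03-10T13:13:04+00:00", ClockSkew(0))
    return logon.utc.isoformat(), logon.assumptions, corroborated(logon, session, 10)


if __name__ == "__main__":
    print(demo())
```

Every item in `assumptions` belongs in the report next to the corrected time; a corrected timestamp presented without them invites exactly the cross-examination the notes warn about.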

Case Studies in Digital Evidence

  • United States v. Turner (1st Cir. 1999): A detective searching a computer under consent given for a search for evidence of an assault opened image files and found child pornography. The court held that a reasonable person would not expect evidence of a physical assault to be found in computer image files, so the search exceeded the scope of the consent.

  • Shawn Carpenter (2005): Security analyst at Sandia National Laboratories who tracked Chinese intruders. Fired after becoming an FBI informant and hacking back; a jury later awarded him roughly $4.7 million in damages (2007).

  • State v. Allen (1996): The Kansas Supreme Court held that merely "approaching" a computer (war dialing, and by analogy port scanning) without getting past the password prompt was not "access", and that reading the statute that broadly would make it unconstitutionally vague.

US Federal Cybercrime Statutes

  • Computer Fraud and Abuse Act (CFAA) - 18 U.S.C. § 1030:
    * (a)(1): Unauthorized access to obtain classified national defense/foreign relations information.
    * (a)(2): Unauthorized access to obtain information from a financial institution, a government computer, or any protected computer.
    * (a)(3): Unauthorized access to nonpublic government computers.
    * (a)(4): Computer fraud (intent to defraud and obtaining anything of value > $5,000).
    * (a)(5): Damage to systems (malware/DDoS); categorized by intent (knowing, intentional, or reckless).
    * (a)(6): Trafficking in passwords with intent to defraud.
    * (a)(7): Computer-related extortion.

  • Identity Theft Enforcement and Restitution Act (2008): Modified CFAA definitions and added conspiracy provisions.

  • Identity Theft (18 U.S.C. § 1028):
    * Section 1028(a)(7): Basic identity theft; must be linked to a crime under state or federal law.
    * Section 1028A: Aggravated identity theft. Mandatory 2-year sentence served consecutively to the underlying felony (5 years for terrorism-related offenses).

  • Intellectual Property and Child Pornography:
    * No Electronic Theft (NET) Act (1997): Criminalizes copyright infringement even without a profit motive.
    * CPPA (1996) & Ashcroft v. Free Speech Coalition (2002): The Supreme Court struck down the CPPA's ban on virtual child pornography; depictions that do not involve actual minors are protected speech unless they meet the standard for obscenity.

Scientific Evidence Standards (Daubert Criteria)

  • Daubert v. Merrell Dow Pharmaceuticals (1993): Four criteria, applied in federal courts and adopted by many US states, for evaluating technical/scientific evidence:
    1. Testability: Can the theory/technique be tested?
    2. Error Rate: Is there a known or potential rate of error, and are there standards controlling the technique's operation?
    3. Peer Review: Has it been subjected to peer review and publication?
    4. General Acceptance: Is it generally accepted within the relevant scientific community?

Formal Expert Reports Structure

  1. Introduction: Overview, context, identity of the requesting party, and investigator credentials (CV attached).

  2. Evidence Summary: Unique identification (Make, Model, Serial, Hash), physical condition, and processing tools.

  3. Examination Summary: Executive summary of critical findings and processing steps (e.g., decryption, recovery of deleted files, known-file filtering with NSRL hash sets).

  4. File System Examination: Inventory of files, paths, timestamps, hashes, and sector locations. Documentation of mass deletion/wiping.

  5. Forensic Analysis and Findings: Detailed description of analysis and specific locations of findings. Includes visual exhibits (photos/screenshots).

  6. Conclusions: Logical extension of findings; must be objective and avoid assertions of guilt/innocence.

Constitutional Privacy and Metadata

  • Katz v. United States (1967): Establishes the "Reasonable Expectation of Privacy" test. Protects people, not places.

  • Smith v. Maryland (1979): Pen register case. Distinguishes between content (protected; requires a warrant) and traffic data/metadata such as numbers dialed (voluntarily shared with the provider, so no reasonable expectation of privacy).

  • Kyllo v. United States (2001): Use of technology "not in general public use" (like thermal imaging) to explore a home constitutes an unreasonable search without a warrant.

  • Fifth Amendment and Encryption:
    * Privilege against self-incrimination: Requires compulsion, testimony, and incrimination.
    * In re Boucher (2007): A magistrate judge ruled that compelling the defendant to enter his encryption passphrase would be testimonial and protected by the Fifth Amendment. The ruling was reversed in 2009: because agents had already seen the contents, their existence was a "foregone conclusion" and Boucher could be ordered to produce the unencrypted drive.